The Biometric Threat: Some Preventative Measures
By Ned Hayes
We live in an age where personal information is difficult to protect, and passwords are far from unbreakable. Recently, IBM surveyed nearly 4,000 people and learned that 67% are comfortable using biometrics, and 87% would be comfortable using biometric authentication in the future. Millennials are particularly comfortable with biometric security, with 75% reporting that they’re at ease with today’s technology.
In fact, if you used a fingertip scan to log into your phone to read this article, you just used biometrics to verify your identity. From passwords to PINs to tokens, there are many ways we provide credentials, but no method has grown in popularity more than biometrics. Biometrics have steadily moved in to replace document-based identities such as a driver’s license, physical credentials like swipe cards used for secure building access, and especially the username/password system that’s been in use since the dawn of the computer age.
Biometrics are also the future of background checks. Instead of submitting documents and identity in person, you can enroll your biometrics through several nationwide systems to instantly prove and verify your identity. FBI channelers use biometrics for regulated purposes and retrieve a criminal background check in near real-time. Fingerprints can even now be used for on-the-spot drug testing.
Today, customers of all sizes are increasingly providing biometric identifiers for verification, authentication, access, and secure transactions.
Are Biometrics Safe from Hacking?
It’s a lot easier for a hacker to crack the password you created that uses your dog’s name and your first child’s birthdate, but biometrics aren’t immune to hacking. Dolls, masks, and false faces can break some facial recognition systems. Philip Bontrager, a researcher at NYU, created a fingerprint that combined the characteristics of many fingerprints into one fake finger that contains multitudes. He calls this hack the “DeepMasterPrint.”
The DeepMasterPrint could be used to log into devices with only a single fingerprint authentication routine, such as a smartphone, a tablet, or even your home security system. What Bontrager did here was simply prove the obvious: Biometrics are hackable.
The Security Cold War
If you’ve followed the history of attacks on security mechanisms, you already know how this story goes. Here’s the pattern of the security cold war:
- A secure system is hacked through one extremely complicated exploit, explained by academics.
- Security experts demonstrate solutions to the first hack and create an ongoing set of solutions designed to circumvent the first hack. Many consumers ignore this fix.
- Professional state actors or black hats use the same general method to hack unprotected systems, raising the bar on security professionals and system protection.
- Unfortunately, their efforts often go for naught as the original hack is replicated by script kiddies and used voluminously to steal identities, money, and goods.
- Eventually, we end up in a place where complicated solutions exist to prevent the original hack and all hacks that emerged out of the same system weakness.
This matrix has been replicated across multiple systems and functions over time. Right now, with biometric-based identity, we are at the early stage 1, and I’m here to provide stage 2—the security expert explains the need for protection and demonstrates a set of solutions. If people don’t ignore this set of fixes, it’s unlikely we’ll have to live in a world brought about by steps 3 – 5.
There are three critical behaviors that can almost entirely mitigate the threat exposed by the new biometric exploits. These three best practices can help mitigate the problem of biometric vulnerabilities for organizations who require secure identification and authentication.
Enroll at High Fidelity
One low-fidelity biometric (like those used by smartphone scanners) isn’t satisfactory for high-security authentication. Enroll multiple fingerprints through a high-fidelity enrollment mechanism like a certified FBI channeler. This group of companies enrolls at a much higher standard of fidelity than those exploited in the DeepMasterPrint hack.
If you are using facial geometry and iris scans for access or identity, then it is equally important to use a high-fidelity system to enroll the faces you wish to recognize. Enroll with many points, and then you can easily cross-check at low fidelity with a great deal of assurance of valid identity.
Use Multi-factor Biometric Solutions
Even better, use a system that enrolls not only fingerprints, but also enrolls facial geometry and/or iris scans. In a later verification scenario, if the fingerprints match the face, and the face matches the documents, you have a multi-factor identity which is hard to hack.
Multi-factor authentication combines several factors like multiple fingerprints, facial recognition, or voice recognition. Don’t just use one type of biometric: ensure that the eyes, the fingers, and the palm print all belong to the same person. A single finger on a pad or a single face read by a camera shouldn’t be enough to grant access to any high-security device, software, or facility.
Put a Human in the Loop
Machine learning and AI can only take you so far in terms of protecting your assets or your facility. A person is often the ultimate biometric checking device.
Don’t rely on an autonomous system to proof-check biometric identity. Instead, have a real person show up and check the identity. Having a person involved in real-time increases security and adds accountability.
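To show how the three practices above combine into a single access decision, here is an added example (not code from this article, SureID, or Sterling) of a verification policy. It assumes constructed thresholds, an Enrollment record with a fidelity score, and per-modality MatchResult scores; a single factor, a low-fidelity enrollment, or factors that resolve to different people never produce a grant, and high-security requests are routed to a human.

```python
from dataclasses import dataclass

# Constructed policy constants; assumptions for this example, not figures from the article.
MIN_ENROLLED_FINGERS = 4                      # "enroll multiple fingerprints"
MIN_ENROLLMENT_QUALITY = 0.9                  # high-fidelity capture, 0..1 scale
MATCH_THRESHOLD = {"finger": 0.95, "face": 0.90, "iris": 0.97}
REQUIRED_MODALITIES = 2                       # one finger or one face is never enough


@dataclass(frozen=True)
class Enrollment:
    subject_id: str
    finger_count: int
    quality: float          # fidelity score reported by the enrollment system (assumed)


@dataclass(frozen=True)
class MatchResult:
    modality: str           # "finger", "face" or "iris"
    subject_id: str         # identity the live sample resolved to
    score: float            # matcher confidence, 0..1


def decide(enrollment, matches, high_security=False):
    """Return (decision, reason); decision is 'grant', 'deny' or 'review'."""
    # Practice 1: only a high-fidelity enrollment is trusted as the reference.
    if (enrollment.finger_count < MIN_ENROLLED_FINGERS
            or enrollment.quality < MIN_ENROLLMENT_QUALITY):
        return "deny", "enrollment below high-fidelity standard"
    # Practice 2: every presented modality must resolve to the same enrolled person.
    if any(m.subject_id != enrollment.subject_id for m in matches):
        return "deny", "modalities resolve to different identities"
    # Unknown modalities get a threshold of 1.0, so they cannot count toward the quorum.
    passed = {m.modality for m in matches
              if m.score >= MATCH_THRESHOLD.get(m.modality, 1.0)}
    if len(passed) < REQUIRED_MODALITIES:
        return "deny", f"{len(passed)} modality passed; {REQUIRED_MODALITIES} required"
    # Practice 3: high-security decisions are handed to a human, not auto-granted.
    if high_security:
        return "review", "escalate to human verifier"
    return "grant", "multi-factor biometric match"


if __name__ == "__main__":
    enrolled = Enrollment("subject-42", finger_count=10, quality=0.97)   # constructed
    live = [MatchResult("finger", "subject-42", 0.98),
            MatchResult("face", "subject-42", 0.93)]
    print(decide(enrolled, live))
```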
The Future of Biometric Hacks
Any identity-proofing technology in its early deployment stages is prone to security exploits. But it’s worth noting that most of the rest of the threat matrix doesn’t apply to the case of biometrics when they are used comprehensively and in a manner that cross-references each other.
That’s because biometrics are a fundamentally different class of identity proofing and are a magnitude harder to replicate and deploy at scale. Creating fake fingertips for every human being on Earth is an astronomically hard problem, and creating fake irises and fake faces is arguably even harder.
When used in combination as a multi-factor identity, enrolled at high fidelity, biometrics provide a safeguard against identity hacks that remains nearly unassailable.
About the Author
Ned Hayes is the General Manager for SureID, and a Vice President at Sterling. He was educated at Stanford University Graduate School of Business and the Rainier Writing Workshop. He has also studied cyborg identity and robotic ethics at the Graduate Theological Union at UC Berkeley.
Learn more about Sterling’s SureID: https://www.sureid.com/
LinkedIn: https://www.linkedin.com/company/sureid-com/
Twitter: @SureID
Ned is a technologist, identity researcher and author. His most recent novel was the national bestseller The Eagle Tree, which was nominated for the Pacific Northwest Booksellers Award, the PEN/Faulkner, the Washington State Book Award, and was named one of the top five books about the autistic experience.
He co-founded the technology company TeleTrust and was the founding product lead for Paul Allen’s ARO team at Vulcan. He has also provided product direction for new technology innovation at Xerox PARC, Intel, Microsoft, and Adobe, and has contributed to a variety of technology patents for these companies.